tv Communicators with Jeff Moss CSPAN August 26, 2017 1:28am-2:31am EDT
churchill read twice. -- a realgly, orwell proof newsletter for my boost your -- admire this in a real part of his life. >> sunday night on c-span's u.n. day. >> coming up next on c-span, an encore presentation -- this founder has a look at efforts to combat gun violence. later, senator elizabeth morning host a townhall meeting in massachusetts. c-span, where history unfolds daily. in 1979, c-span was created as a public service by america's cable television companies, and is brought to you today by your cable or satellite provider.
>> now joining us on the communicators, jeff moss. how and why did black hat begin? jeff: it began more than 20 years ago. i operate a convention, def con, the world's largest hacking convention. this was a time when there were no jobs for any of us. the only people doing security were maybe people in the military and banks. as the internet grew and there were jobs, and there is money at risk, all of a sudden hackers started getting jobs doing security. i kept getting emails, give me an announcement to def con to make it sound professional. i was rewriting our
announcements to make them sound corporate. one of my friends said you know what, throw a real conference. charge real money. make it professional. i thought it was brilliant. i was too young. i save my money for a year. then i started black cat a year later. every year it has grown for 20 years. host: what is the difference between black hat and devcon? -- def con. jeff: you happen info sec job. you are working for general electric or microsoft. you need to learn something you can apply hands on right away. i'm going to go home and defend my company against it. it's very practical but focused on enterprise. with def con, it is the sense of discovery, learning something new, picking locks. your corporate job is going to
teach you how to pick locks. hardware hacking, car hacking. conspiracy theories. everything that helps you learn how to learn. a friend brought up that we are teaching the next generation of hackers a way to think. there is the mentality of how to hack, which is a skill set. then there is a professional hackers. i liken this to an artist. you create when you want to. or a professional artist, working for a company. you have to be creative day after day. devcon is all about the people who want to be creative when they want to be creative. black hat is the transition to a day job. i have to keep up and know the skills i need for my job but i am going to go to def con because that is where my creative energy comes from. they have existed well together. they are different. but the people generally started in one and migrated to the other.
host: is there a subversive this? jeff: there has to be. that is part of the antiauthoritarian. even to this day a lot of what hackers are told is you can't do that. that is not possible. we don't believe you. the voting machines are secure. it takes rebellious nature to say i think i can break into the voting machines. no me your cell phone does have some problems. it just turns out people who are
good at streak -- speaking truth to power tend to be a little bit rebellious. the other thing is companies are telling you what the problems are. the government's are telling you what the problems are. the criminals are telling you how they are breaking in. it comes down to hackers and academics to tell you what is possible. when a hacker started messing remotely with a medical devise, the manufacturer said that is not possible. only when the hacker it district -- distributed it did the manufacturer say ok, we will listen to you. was that subversive or is that a public good? consumers now know, don't buy that bottle and put the fda on notice, they should be testing.
there is a generation of medical devices that are not safe. maybe the fda doesn't like it. but maybe they are not doing their job as well as they could. you never make anybody happy. a lot of times, they are doing this creatively. they don't care. they are doing it because it is there. host: where did the names come from? jeff: people get black hat confused. it is black hat briefings. the idea was, we are letting you know what the bad guys are doing and how to prepare. it got shortened down. it turns out that all these hackers and academics are a crystal ball. you would talk to your friends and say what are you working on? i found this little edge case with routing.
if it is interesting to them, it is a problem in the future for everybody else. they are the canary in the coal mine. years ago, saying the internet of things was going to be a problem. now it is a problem. companies who want to get a head start, way -- maybe there is a problem, then go build a product and sell it. people come for different reasons. now we are seeing more government appearances.
regulators, law enforcement. they are trying to figure what is coming next. def con was originally a party. everything was online. there was no internet. it was meant to put a face to a name. there was so much misinformation that it was no sense of a factual well when you could learn the truth. everything was word-of-mouth. there was so much misinformation. if i put a disclaimer on my bulletin board that said no undercover police officers allowed it is entrapment if they sign then. that doesn't make sense. that doesn't sound right. the first def con we had a prosecutor speed. and a lawyer talk about the liabilities if you are trained through virtual-reality that you are taught a mistake and reality you exercise the mistake. who is liable? the vr manufacturer? we were looking at these issues a long time ago. it became known as def con. my favorite movie, wargames. the main character is from seattle. def con plays a big role. in the early days i was a phone freak her.
the number three key on your telephone is the def key. i was living with a hip-hop producer. i'm talking about this hacker convention. a hip-hop guys don't know about hacking. as an describing the party one says that sounds def. it all came together perfectly. def con. host: what is a phone freaker? jeff: the phone freakers exploited the telephone network. steve wozniak, steve jobs, bill gates, these people who produce blue boxes that would allow you to place free phone calls.
back in the day the phone network was the largest network in the world. if you wanted to explore you basically were exploring that network. at work -- hackers were exploring the precursor. crackers specialized in movie copy protection. if you bought a game, crackers learned how the game was protected, reversed engineered it and then got around them. so, that was the three main communities. they had a different interest. telecommunications, software protection. now the line is blurred. as time went on, as criminals entered, it wasn't just a game, and joy of discovery. it became money. criminals came in and borrow techniques from anywhere they
could. they used to try to recruit hackers. now the criminals send people to college and university. they make a lot of money from these campaigns. they have giant research and development agenda. they don't need the hacking community anymore. we are trying to figure out what they are doing. they are doing this as a full-time moneymaking enterprise and the put in a lot of resources. i think what is going on now is the press did not know how to explain the criminal use of technology. they borrowed the term hacker, which was describing a skill set and use that to describe criminals using computers. instead of saying they broke into the bank, the hackers broke into the bank. that caused the schism. good hackers would still refer to themselves as hackers. to the outside world, we were security professionals. it was too long to have this conversation about what a hacker is or isn't.
it is a skill set just like you have a criminal plumber, or a great plumber. the skill set is the hacking. the motivation is what differs. host: is that white hack hackers and black cat hackers? jeff: that was attempting to describe motivation. criminal hackers were going to be called spiders. then the world wide web got invented. we are going to call them crackers. the cracking community was like that is us, we are not criminals. so, then it became colors of your hats. you could tell who the good guys were by the color pats. that is how it came about. now you an ethical hacker, it is really muddied. i just stick with criminal and
not criminal. host: who attends this? jeff: black hat, hard to say. probably around 15,000 people. it is a long program. there is training and the main conference. some people come just for the conference. devcon, 25,000. pretty big. it is interesting. for black hat to me you can preregister. for def con it is all cash. there is no credit card records to subpoena. it is optimized for speed of registering people and not being a target for law enforcement. >> when we told people we were coming out here, turn off your phone. don't use a money machine. avoid anything electronic when you are down there.
jeff: that is the myth. you have to remember now, it is pretty hostile everywhere. now, every airport seems to have a fake cell tower. if you're going to steal somebody's login why not at the business lounge? that is where high-value targets are. if you monitor, you will see these fake stations. d.c. has a fake cell tower. this is the way that it is. if you are a criminal and you can build a backpack to intercept information, that is so much more low risk than trying to rob a bank.
bad guys will try to do that. you have hackers who want to test things out. they know it is a free-for-all. they will be fake cell towers. people trying to detect the fake towers. law enforcement trying to detect people. for intelligence. -- foreign intelligence. we had a film document recruit. they were french born legion, actually intelligence trying to identify who the people are they cared about. we had our own intelligence that were following around their intelligence. i'm sure there was another. there are so many layers that i have learned not to be surprised
by anything. but it is a fascinating glimpse of behind the curtain. how does technology work behind the curtain? what do other governments do? i was at a def con winds and somebody came up to me and said i want introduce myself. i'm with the defense intelligence agency. what are you doing here? aren't you supposed to count typewriters? what are you doing here at a hacking conference? he said i'm trying to figure out
if other countries are trying to recruit our hackers. that sounds important, that how? there's a room with 500 people in it. how do you know who is trying to do what? what i do, i lean against this wall and watch for other people watching and pay attention to the watchers. fascinating. so, every year i love learning a little more about how the world works. host: you had michael rodgers out here. jeff: no, the director before him. keith alexander. >> that was fascinating. >> it took you years to get him out here. >> that position. we have gotten people from the dod. we have gotten a lot of other people. never the director of the nsa. it was right before the snowden revelation. it was at the very peak of goodwill between the hacking community and law enforcement. after that it has been downhill. host: why? jeff: a couple of reasons.
one was there was a sense that we were all working together. we were all trying to make the world a better place, trying to protect networks. have fun while we were doing it. the intelligence folks had a bit of mystique but we knew they were using the same technology we were. it was an alien technology. they were just using it differently. we could relate. over the years, whether it was dhs or fbi, in cips, they were interested in what they were doing. we were sort of becoming friends. there was a lot of you never really let on you were monitoring the citizens so severely.
that was -- the hackers felt that was too extreme. whether it was because of government oversight lacking, maybe it is not their fault. oversights fall. whatever. weber's fault it was. a lot of people felt like trust was betrayed. a guy was telling you something it confidence and it ended up here. that is not why i told you about this. i told you about this to protect government systems, not to do something else. there is a huge cooling-off. that next year i asked the fed to please don't show up. not that they were welcome. but there was going to be drama if they showed up publicly. there were angry people. i didn't want people fighting. i didn't want to have a scene. tensions were hot. since then things have cooled down.
intelligence agencies have engaged. the fcc, the ftc. we get some people from dhs trying to do some stuff on smuggling. we get the good parts, the noncontroversial parts. trying to stop rowboat laying, make home routers more secure. things everybody can identify with. i think dhs was talking about u.s. cert and outreach to companies. had we help learn what bad guys are doing. it will be a well before intelligence agencies are going to convince hackers that they are not impartial, but they have their cards on the table. that is just the way it is. some people said it is better this way. we preferred the gray areas. it was getting too much light on us. i think it will be a pendulum.
>> would you like to have anonymous out here? jeff: they are here all the time. anonymous is anonymous. i'm sure there are hundreds. organized crime people, intelligence pupil. that is the interesting thing. there is a lot of law enforcement from a lot of countries here learning. there's a lot other people here learning. academics, people who want to make movies about this.
we have created a melting pot. in the early days, vegas acted as a filter. we are not in the middle of san francisco. you have to get on an airplane and fly to vegas in the summer. you only came here if you were really interested. you didn't just hop on a train and come down. so we had a good formative years of people who cared about this. that became the core for the conventions now. now it seems people think they have to come because it is a big event. it went from network security people to telecom. then marketers had show up because their customers were here. at its heart, at its core are these technologists, hackers trying to figure out how the technology works and how -- what to do about it. as long as you can keep that, the heart of the conference will keep beating. host: are you glad it is growing?
jeff: i love the growth. i hate the growth. it is both. i'm conflicted over it. when i started def con, there were two other hacking conferences. they were invite only. i wasn't invited. or i couldn't get there. i was too young and wasn't traveling to atlanta. i decided if i'm doing a conference it's going to be open to everybody. that led to problems. if it is invite only, how many people are going to show up? had you plan for something when you don't know how many are going to show up? if you don't know who is showing up, what prevents 100 law enforcement people from showing up? you can't control the demographic. on the other hand, they are interested. they care enough to show up. maybe they will add and contribute. that is how it has worked out. from 100 people the first year, to 25,000 people this year. it is bigger that it is reflecting the changing demographics. more women are involved. more artists are involved.
more large enterprise. in the early days we were hacking on two or three technologies. you couldn't get there without the growth. some conferences are still invite only. they stay small. there is absolutely a place for that. consciously i wasn't going to be that elitist. i was going to let anybody show up. i have to live with the conscious -- the consequences. control the tenets or keep an open door policy.
host: when did you start hacking? jeff: when i was 12 or 13. it depends on hacking. i didn't think i was a hacker until 14 or 15. in hindsight, i probably was. i was copying games, reverse engineering protection. hacking more about overclocking to make your computer go faster. trying to get more out of your pc. later on i was into phone freaking. i caught a hacker breaking into my bulletin board system. when i caught him, he was like i'd don't know what you are doing, the you are doing something. he said, you caught me. this is how i did it.
moment. before, technology just kind of worked. and then i questioned every assumption. they are clearly not doing what i thought they were doing. host: did you ever get in trouble? jeff: no. but back then come a there were no laws against any hacking. different than today. i'm worried about the current generation. these federal sentencing minimums, you could run automated tools and get more jail time than driving drunk and killing someone. sentencing guidelines are crazy. you see this sometimes. i want to participate in civil disobedience. i'm going to tos that evil bank. he has a felony conviction now and is in jail for a number of years. his employment options are destroyed. for participating. i'm not saying that is right for legal, or should be legal. i'm saying the panache -- punishment is disproportional to the harm. that didn't exist when i was a kid. back then, there wasn't really anything online that you could harm. the mentality was look but don't touch.
it came from ham radio operators. you can listen into people, whatever you hear wirelessly is legal. if you act on it, that becomes illegal. this is an fcc law. if you go to their house and still cash, it is an additional crime that you learned it and acted on it. that is where this came from. explore these networks. even if you break in. don't touch anything. you are there as explorers. so, some of that old still -- old-school hackers still think that way. the problem is the computer fraud and abuse act now really treats just even looking as a crime. with some bizarre results. that law was created in the late 1980's. so, it is predicated on this concept of permission. if you run a bulletin board you permitting me to login.
you are not giving me permission to break in. if you read that law, any time you connect to a website, you are not hitting permission. -- getting permission. there is a lot of -- this is what tripped up aaron swartz, his downloading of legal documents he had permission to download. they claimed we didn't give you permission to download all of them. he took that permission to mean i will automated and download everything. that is when he was charged and a zealous prosecutor was trying to give him federal maximums.
eventually he committed suicide over that. downloading a lot of documents, maximum sentencing. these problems are still working through as a society. these changes in technology is our what is forcing the issue. a lot of folks intentionally or unintentionally are people at these conferences. they are pushing the technology. they are seeing what it is capable of. a lot of times you run into the law anyway the law never intended. host: besides yourself on the convention floor, who else will be a rock star to the folks attending? jeff: i don't like the term rock star. there's a lot of people. as a community we have done a good job of trying to mentor the next generation. there are some rock stars that
love to put on a show. one of the greatest was barnes. barnaby jack who passed away. he was famous for hacking an atm machine onstage. he hacked it and made it spit hills out on stage. -- bills out on stage. the makers were saying that is not possible. if he is going to show you that it is possible he's going to do in the most spectacular way. it was a celebration, he spent months trying to figure out how atm's work. it took him a year of work and it common aided in 40 minutes. you get a lot of that. i have been working on this for two years. it is all going to come out in minutes. my years of effort. when you see what you see on stage you have to respect this work that has been done before. all the other people who made it possible, they are standing on the shoulders of giants.
nobody here just invented it. it is like a musician. you are always on the shoulders of those before you. some people are more famous than others. charlie miller, chris belichick famous for hacking smart cars. they did it in spectacular fashion. i remember him trying to get warranty service on his car. what happened to this car? nothing. there is a lot of people, and a lots of women are really getting involved. i find that the most interesting. as a tech community and hacking community, we are just not good at bringing in other ethnicities and genders. for a number of reasons. i think about 11% of attendees
are women. that is maybe a percent or two higher than the tech industry, but a lot lower than other industries. when you think about why is that, well, in the security field you are pretty much on call 24 hours a day. something goes wrong, you are to blame. if you are doing defense, you don't get a reward when you keep the hacker out, because you don't know when you keep the hacker out. it is kind of thankless. it is like trying to prove a negative. if you are a salesperson, you immediately know when you made a sale. the company is happy because you sold more product. in security, you don't get those kinds of feedback. i don't think a lot of people, when you are in college and evaluating where you want to go,
security, maybe, but if you delve into it, the first years are brutal. it is sometimes a pretty thankless job. host: what threats are here today that weren't here 5, 10 years ago? jeff: a lot of new threats. it reflects the technology we are bringing into our homes. three years ago i didn't have to worry about the fbi or a bad guy trying to access my dialogue with my siri or alexa. alexae fbi is subpoenaing conversations. technology is now potentially your spy. maybe it is not the fbi. but maybe you are in a bad divorce and your wife or husband subpoenas the documents to prove you are cheating. that is not what the technology was there fore. but that is what it is going to be used for.
we have these smart thermostats and toasters. when was the last time you updated your cell phone? probably the last two years. when was the last time you changed your smoke detector? probably never. these devices are going to be in our house for five or 10 years, insecure, and connected to the internet. what we are seeing is the beginning of a tidal wave of insecure pervasive technology. a lot of times, the cost of replacing for a company is greater than the cost of the smoke detector. there is the physical labor involved with these devices. that is where we are going. where we are now is we have a lot of risks that we don't understand.
we don't accept the risks yet because we don't understand them. the smart car, go to ford and ask what information are you sharing with advertisers? they are not going to tell you that. you have a lot of risks, whether it is personal or against a lawsuit or financial, or behavioral. you are being placed in a bubble, almost a perfect marketing bubble. you will see the articles you want to see. you will get the radio songs that you like. but you are never going to be exposed anything new. micro-targeted advertisement and mail that you get will be targeted based on your behavior. you will slowly find yourself in a bubble of your own choosing based on your behaviors.
the famous examples, i wish i could go to hawaii, and the next thing you know you are getting advertisements for hawaii. imagine when it is more pervasive. you put your wi-fi on, they track that. they know everywhere you have been in the supermarket, how long you stood in front of pringles. maybe we need to change the lineup. let's adjust how we show the aisle.s on the pringles next thing you know, they share that with the next person. and they monetize that. this is for totally legitimate purposes. let's have less waste. but at the end, the profile they build about you is amazing. that is what was happening in the background that we don't even realize is occurring. a lot of times, maybe we should have a conversation about it. instead, it is happening to us.
that is going to present itself in bizarre ways. imagine a presidential election when all of this demographic information is available about the candidates. if you think about it now, if you were malicious and happened to work at uber, and you had access to bloomberg data, you -- to uber data, you could probably tell where your senators and representatives were driving to. you can probably figure out who is meeting with who, where, and when, and who was cheating on whose wife, where, just between your cell phone and your uber. you could uncover a lot of meetings that are not supposed be uncovered. nobody realizes this. it is -- there is a trade-off, i
guess. hackers are maybe more conscious of the trade-off, but there is a trade-off between usability and privacy and security. we are making the trade-off for usability and ease-of-use, but we are not doing it consciously. when you drive over 60, and your steering wheel starts shaking, you are thinking, i'm making a trade-off. this is getting dangerous, but it is exciting. but i know i am sort of at the edge. with technology, your mouse does not vibrate. your phone does not get hotter. you don't know when you are doing anything risky online, and you don't know where the limits are. you blow through them all not realizing. when you do something risky online and it comes to bite you in the ass, it's impossible to tell what the bad behavior was. maybe your credit score is now down. maybe your credit card has been stolen.
was that something from last month, last year? what was the bad behavior that harmed me? you can't figure it out. so you can never create this loop, unlike when you are fast, the steering wheel shakes, and you realize, i going to do fast. -- i am going to fast. there's no feedback loop like that online. host: how do you personally protect yourself and your own devices? jeff: i'm a big believer in simplification. i just don't have many apps installed. host: do you use uber? jeff: no, i don't. host: because of the tracking? jeff: why do they need to track me when they are not calling for a car? apple has been making good progress about not allowing apps to geo-locate you when you are not running the app. maybe once they put in these protections, i will use more apps. just because i like linkedin doesn't mean i want them to
track everywhere i go and tell me when i am near another linkedin user. that was one of the big changes, so i stopped using linkedin. or i use it for my pc. that is inconvenient, but i decided to make that trade-off. i don't need every where about recorded and monetized. it is a pain, but i am getting less of a footprint. i'm not getting the big bubble created around me. i block what i can. that means there are websites that i sometimes can't go to. i can't go to fox news anonymously. so i just don't go to fox news. i go to the other news sites that allow me to browse anonymously. i am missing that a little bit, but i think i'm getting more than i am losing in the bargain.
host: do you use wi-fi? jeff: i am using wi-fi, but i use my own vpn. i am not trusting the hotels -- the hotel's wi-fi. to me, it is an on-ramp. i use my own network to get to trusted systems. with this net neutrality d later -- deregulation coming up, a lot isp's, whether they do or don't, legally they are in a much better position if they want to watch your traffic, see what you are doing and inject advertising into webpages you go to, or watch the websites you go to, and sell that. you are browsing your favorite sports team and next thing you know you're getting sports advertising. you are alike, i did not tell anybody i like that team, but isp is trying to figure out -- never mind you are paying $50 a month. they are trying to make the or
$.50 off of you. i will find a way to bypass it. i will use a vpn and get away from my local isp. i will pop out in somebody else's isp. that isp does not know who i am. they don't know my address. yes, they know there is a vpn user that likes a sports team, but they can't type that back to me. whereas my own isp can. they talk about the last mile of getdband -- i am trying to one mile away from my isp because they are in the position of trying to watch everything i do and monetize it. host: have joined assange or edward snowden ever spoken remotely at this convention? jeff: no. peter: would they be the types of people you would want to have them on? jeff: we keep thinking about inviting them, but i don't think so. stealing a bunch of secrets
doesn't make you a hacker. a lot of people can steal things and release them to the press. that doesn't make you a hacker. i will buy you a beer and listen to your stories, but that doesn't mean -- what are you going to tell hackers? and then i used the photocopier, and then i went to the press. we figure that out. it is unclear. they have spoken at every venue they could possibly speak at. they are world famous, and they are not going to the revealing anything new. and there's a lot of people that feel that was a violation of trust. there are other avenues of revealing what snowden could have revealed. but he did not. super controversial. nothing new, technically. so, give the stage to somebody else that is doing something.
, often at amoss convention, one or two themes emerge. we have attended ces several times. there is always a theme. we have been hearing social engineering, liability. are there any themes developing? jeff: i think you are right about liability. i have been speaking about liability for years. i tried to couch it like this. if you have a car, a smart car, and something goes wrong with the software and you crash, there is liability. but if you make a database and it sits in a server room and it crashes and you lose millions of dollars, there's no liability. what is the difference? one is a data center on wheels, one is a data center sitting stationary. one has liability, the other doesn't. they are just software. at some point, the competitive
disadvantage -- oracle gets a free pass because they have a shrinkwrap license. tesla doesn't get a pass because they have a person in the vehicle. but at some point, the data on the oracle server is affecting lives. to say that one gets no liability and one does doesn't make sense. i think what you are going to see is pressure from companies using software with liability to make the whole industry have liability. with the internet of things, as the toaster burns down a house and kills someone, there is going to be liability. right now the only thing running is my game console, my phone, my tv. when it is running your whole house and something goes wrong, you are going to be impacting not just geeks, you are going to impact average consumers that are not interested in the back
story about why their toaster burns down the house. the industry has been resisting and resisting. if they don't self regulate, it is quite to be like every other industry. government is going to fix it for you. we are in this period that if the industry can't figure out a way of guarantees or liability protections, if they don't figure it out, the government is going to come and do it, and you are not going to like the results. i'm not going to like the results, but there is no other avenue. software is going to be so critical that they are not going to let there be no liability. host: two companies come here and recruit? jeff: oh yeah. expensive recruiting. people come here looking to change their jobs. they are always looking for a new challenge. you tend to define people for sticking in their jobs for three or four years, then they are
looking for green fields. especially if they want to do something new. a lot of smart card companies. -- space is getting interesting, so a lot of people are trying to get into spacex or blue origin. there is always something new going on. medical devices. there is a lot of action in that area. you have these black boxes. these algorithms that are trying to determine machine learning, based on your behavior. what time you wake up and go to sleep. when you are driving. they are trying to figure out ways to calculate new tables to save money on insurance. they have all this new data. it is an innovative time, whether you like it or not. we are in the golden age of data. it is going to impact everything about us.
you asked an earlier question about themes. another same i didn't think would be so popular, voting machine hacking. a couple years ago, i started a village called the tamper evidence village. you know how in a movie, they have the evidence bag and they tear it open? i kept thinking, you've got to be able to get around the evidence folder. or the money bag. or you see on your electricity meter, it looks very roman. i figured, how hard is it to get around that stuff? i don't know, but i bet some of these hackers do. how to defeat evidence, get past seals. nobody was doing that before. now there is a whole body of knowledge about how you defeat
these tamper evidence stickers pes.ta i was looking at something new. voting machines are in the news. i'm sure people have been beating these things up. you can find them on ebay. i looked around and couldn't find any information. hackers have not been beating on these things. academics have a few publications. but there is nothing to really know. i was like, i don't know about these either, but i that i can buy some on the ebay and invite hackers in. this year it is exploded. we have all these voting machines. we have county commissioners, election officials, people from dhs. it has turned into a crazy assemblage of anybody interested in hacking on these voting machines. the more you learn about them, the more scary it becomes.
there is excitement in that area because it was not done last year and it is new this year. host: you have a ba degree in criminal justice from gonzaga. jeff: the first graduating class in criminal justice at gonzaga. i thought i was going to be an fbi agent. for career day, we were getting all these talks and speakers. an fbi agent told this incredible story about chasing these bad guys. unbelievable. when i saw that, i was like, that's what i want to do. i did not know any better at the time. i went to college and took computer science classes. i never really knew what i wanted to do. i was enjoying sociology and psychology and criminal justice classes, so i figured that's what i was going to do. i graduated, and it was during the federal hiring freeze. the only law enforcement hiring -- at the time was
the fbi. i typed up my 20 page application and send it in. crickets. nothing. they said we lost that. can you file that again? this is a secret way, they are going to compare the results from my first application and my second one. i sent it in again. a week later, two weeks later i get a call. i start talking to special agent murphy. tell me about your vision. well, i want to help people. he said, no, your eyesight. what's your vision? i said, ok, it's 20/20 in one in the other. he said that is not good enough. sorry. ok, sorry. that was it.
no chance to have a career in the fbi. six years later, i tell an fbi agent that story. he said that there was no eyesight requirement. he just did not want to process your paperwork. you should have caught on to that. he said, i bet if you applied to the office in seattle, you would have been fine. but in spokane, they probably just didn't want to deal with your paperwork. my whole life to one decision. host: where did you grow up? jeff: the bay area. -- wererry your your parents in tech? jeff: no, teachers. i'm the only business person. i always have the weird business stories. they have the weird academic stories. host: how many hours a day do you spend in front of a screen? jeff: you find in tech as i progressed in my career, do more advisory work, i do less
hands-on. just the nature. to stay connected, to feel i am not a sham, i still maintain the def con servers and update the systems. i spent a fair bit of time defending our network other people attacking it. that gives me enjoyment, and it is a huge pain in the ass. but you have to do one to stay current. i am more on mobile now than on my laptop, because emails i can do quickly, but when you are working on servers you need, like, five screens and a lot of screen real estate. : has black hat been hacked?
would that be a badge of honor? jeff: def con was hacked a couple of times. i was hosting with a friend, and another hacker buddy saved up his exploit for nine months, waited until the convention to deface the website. it was being hosted by a friend's server who did not have the right update. they made it a tongue-in-cheek fun thing. that is when i took over. ever since then, i ran my own service. that is where i decided i will not let anyone else run this stuff. host: does this world make you paranoid? jeff: i wouldn't say paranoid, because everything is based on fact. it is not paranoid if they are really out to get you. when you are getting threats of people posting challenges
online, you know they are out there. yesterday i tweeted that somebody was trying to break into my twitter account, and i kept hitting all these emails that said, here is your new twitter reset. whoever is trying to break into my twitter account, please stop. i need my twitter account for the next week or so. cut it out. and they stopped. -- don't call it paranoia if they are really out for you. paranoia comes in when people ascribe too much importance, maybe, to what they are doing. the nsa is not going to task a $50 million satellite to spy on you going to the supermarket when the local cop can just follow you there. that level of disconnect would be paranoia. if you're being a criminal, don't be surprised if law enforcement is after you. but just because law enforcement is after you does not mean the
cia is mobilizing the whole division to come after you. that is a little crazy. there is a lot of that going on, a sense of over importance. becauseweird situation, let's say you are a hacker and you are starting to do something in the gray area. maybe something that could be criminal. people always say, they are not coming after you. i am not doing anything. ok, but they don't know you are not doing anything. law enforcement only knows you are not doing anything until after they have looked at you. they don't have some magical presence where they say, oh, that person is not doing anything, let's not look at them. sometimes people feel it is unfair they subpoenaed me. but look at how you were behaving. look at who your friends were. the only way they are going to know if you're a bad guy is if they go in there and stir the pot. don't be surprised. that was a lot of how law enforcement in the early days
would catch people. they would go in, stir the pot, bust one person. they would roll everybody up. it is not rocket science. and you see what is going on now, there was a big dark market bust where the police had one dark market, they busted another one, gathered all those people's information. just basic law enforcement tactics. i don't know where i got off on that route. it was maybe the paranoia question. host: do you presume everything you put out there, everything on your phone is public? jeff: you have to, i think. i make sure i am protected as best i can, but i am not going to be surprised if one of my conversations comes back at me, even though i think it was protected.
i was chief officer at icann. it was a pretty high-profile job. we knew our ceo was targeted. i remember talking to him about the risk, how is he thinking about this? he said every time i write and email, i'm writing for three audiences. i'm writing to who i'm sending the mail to, to the foreign nation states who are spying on me, and the congressional inquiry if i ever have to testify. that is the job of the ceo. >> what kind of consulting work did you do at dhs? jeff: i am still involved. i'm on the homeland security advisory committee. were are about 40 of us, and advise the secretary on whatever the secretary wants. in the past, it has been on how the department accelerates their cyber skills. how do they develop in their workforce better skills? it could be resiliency in government.
we did a task force. how can we minimize that? so, really, we just wait for challenges dhs might be facing and we figure out the question and we go ahead and do that. i'm also involved in the atlantic council, bringing to def con the cyber caucus. we are going to have a bunch of representatives out there this year. that will be really cool. the week day and the timing the caucus can travel out of, they can only come on the weekend. i am involved with the council on foreign relations, which is always fascinating because we are always looking at the global governance. and where is this going from an international perspective?
it is a fascinating time to be alive. off throwing parties with your friends 25 years ago, now you are advising governments and companies. you can't make that story up. host: should there be a data protection agency? jeff: there should be a national privacy agency. canada has one. is not enumerated in the u.s. constitution. it is inferred. dhs is one of the only agencies that has by law mandated to have a privacy officer. i think that should just be a standard thing. privacy of the constituents of your workers, of citizens should be a factor in whatever legislation you propose. it's not, you know, i think that's, too bad, because as we see in the internet age, that personal information is really what is of value.
uber makes almost as much money selling demographic data on its riders as it does selling rides. it's tremendously valuable. host: jeff moss is the founder and creator of blackhat and def-con, and he has been our guest on "the communicators." [captions copyright national cable satellite corp. 2017] [captioning performed by the national captioning institute, which is responsible for its caption content and accuracy. visit ncicap.org] in 1970 nine, c-span was created as a public service by america's cable television companies, and is brought to you today by your cable or satellite provider. this week, senator dick durbin was in his home state of illinois to discuss .fforts to curb gun violence he also talked about the importance of providing mental health or -- mental health services for those who experience violent crimes at a young age. this is about 45 minutes.